Re: client-side support for Negotiate authentication scheme

2008-11-13 Thread Thierry Boileau




Hello Roman,

that was a pleasure to work with you too!
Thanks a lot for your contribution and your nice message.
Good luck for the future!


Best regards,
Thierry Boileau
--
Restlet ~ Core developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

Hi all

I have added NegotiateFilter as an attachment to
http://restlet.tigris.org/issues/show_bug.cgi?id=444

Please note that I will be starting a new job in two weeks and I will not
be able to work with Restlet in the foreseeable future in my day job.

Working with Restlet and its responsive community has been a great
experience for me. I wish you and the Restlet project the best of luck!

Roman

PS: a copy of the README file...

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

If HTTP Negotiate authentication is not successful the filter tries to fall back
to HTTP Basic authentication.

The checkSecret() method is used to implement HTTP Basic authentication. The
MyNegotiateFilter example subclass uses JAAS to check the username/password
combination.

NegotiateFilter comes with a runnable test client and test server (using the
JAX-RS extension).

The code has only been tested for a few weeks in a Windows Active Directory
environment but theoretically should work with any Kerberos v5 infrastructure.

HTTP Negotiate authentication has been successfully tested with Firefox and
Internet Explorer web browsers as clients. The fallback to HTTP Basic
authentication has been tested with Firefox, Internet Explorer, Safari, Opera
and Google Chrome.

The code has been tested with Restlet 1.1.1.

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

The NegotiateFilter class is based on Bruno Harbulot's SpnegoFilter (see the
NegotiateFilter.java source file for license details).

  
Bruno Harbulot wrote:

Hi Roman and Jerome,

Sorry for the delay. I've just added the tarball to the issue tracker:
  http://restlet.tigris.org/issues/show_bug.cgi?id=444

Best wishes,

Bruno.

Jerome Louvel wrote:

Hi Bruno,

I would suggest that you attach a zip with your source code to the existing
issue in the tracker (or a new one).

Once, we create the 1.1 branch, we could use the trunk to land this but it
is a bit premature for now.

Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On behalf of Bruno Harbulot
Sent: Wednesday, 1 October 2008 12:50
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have
any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure of
the Guards, etc. (mostly for my project's needs but that could be used
for 1.2). Perhaps it could be time to put it somewhere in the Restlet
code-base too.  I was going to wait for the 1.1 release, but if Roman
is doing some work on this type of problem too, we might as well try to
coordinate our work.

Best wishes,

Bruno.

Roman Geus wrote:

Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository and
then do my part.

Best regards,
Roman

Jerome Louvel wrote:

Hi Roman, Bruno and all,

Roman, thanks for reporting this parsing bug with WWW-Authenticate HTTP
header. I have just fixed it in SVN trunk.

Regarding the support for SPNEGO, I've updated the related RFE with a
link to Bruno's original filter and another one back to this thread.
I've also changed the target milestone of this RFE to 1.2 as it seems
there is a good chance we could effectively add support for it.

"Support SPNEGO authentication"
http://restlet.tigris.org/issues/show_bug.cgi?id=444

  

  





Re: client-side support for Negotiate authentication scheme

2008-11-13 Thread Rob Heittman
Good luck, Roman, and thanks!  This is really a cool feature.  We
don't do much work with Windows authenticated environments any more
(thank heaven) but there are so many cases where this would have been
a game changer, and I'm sure it will come up more than once in the
future.

On Thu, Nov 13, 2008 at 6:32 AM, Roman Geus <[EMAIL PROTECTED]> wrote:
> Please note that I will be starting a new job in two weeks and I will not be
> able to work with Restlet in the foreseeable future in my day job.


Re: client-side support for Negotiate authentication scheme

2008-11-13 Thread Roman Geus

Hi all

I have added NegotiateFilter as an attachment to
http://restlet.tigris.org/issues/show_bug.cgi?id=444

Please note that I will be starting a new job in two weeks and I will not
be able to work with Restlet in the foreseeable future in my day job.

Working with Restlet and its responsive community has been a great
experience for me. I wish you and the Restlet project the best of luck!

Roman

PS: a copy of the README file...

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

If HTTP Negotiate authentication is not successful the filter tries to fall back
to HTTP Basic authentication.

The checkSecret() method is used to implement HTTP Basic authentication. The
MyNegotiateFilter example subclass uses JAAS to check the username/password
combination.

NegotiateFilter comes with a runnable test client and test server (using the
JAX-RS extension).

The code has only been tested for a few weeks in a Windows Active Directory
environment but theoretically should work with any Kerberos v5 infrastructure.

HTTP Negotiate authentication has been successfully tested with Firefox and
Internet Explorer web browsers as clients. The fallback to HTTP Basic
authentication has been tested with Firefox, Internet Explorer, Safari, Opera
and Google Chrome.

The code has been tested with Restlet 1.1.1.

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

The NegotiateFilter class is based on Bruno Harbulot's SpnegoFilter (see the
NegotiateFilter.java source file for license details).


Bruno Harbulot wrote:

Hi Roman and Jerome,

Sorry for the delay. I've just added the tarball to the issue tracker:
  http://restlet.tigris.org/issues/show_bug.cgi?id=444

Best wishes,

Bruno.

Jerome Louvel wrote:

Hi Bruno,

I would suggest that you attach a zip with your source code to the existing
issue in the tracker (or a new one).

Once, we create the 1.1 branch, we could use the trunk to land this but it
is a bit premature for now.

Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On behalf of Bruno Harbulot
Sent: Wednesday, 1 October 2008 12:50
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have 
any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure 
of the Guards, etc. (mostly for my project's needs but that could be 
used for 1.2). Perhaps it could be time to put it somewhere in the 
Restlet code-base too.  I was going to wait for the 1.1 release, but 
if Roman is doing some work on this type of problem too, we might as 
well try to coordinate our work.


Best wishes,

Bruno.


Roman Geus wrote:

Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository 
and then do my part.


Best regards,
Roman


Jerome Louvel wrote:

Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate 
HTTP header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with 
a link to Bruno's original filter and another one back to this 
thread. I've also changed the target milestone of this RFE to 1.2 
as it seems there is a good chance we could effectively add support 
for it.
 
"Support SPNEGO authentication"

http://restlet.tigris.org/issues/show_bug.cgi?id=444









Re: client-side support for Negotiate authentication scheme

2008-11-04 Thread Bruno Harbulot

Hi Roman and Jerome,

Sorry for the delay. I've just added the tarball to the issue tracker:
  http://restlet.tigris.org/issues/show_bug.cgi?id=444

Best wishes,

Bruno.

Jerome Louvel wrote:

Hi Bruno,

I would suggest that you attach a zip with your source code to the existing
issue in the tracker (or a new one).

Once, we create the 1.1 branch, we could use the trunk to land this but it
is a bit premature for now.

Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On behalf of Bruno Harbulot
Sent: Wednesday, 1 October 2008 12:50
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have 
any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure of 
the Guards, etc. (mostly for my project's needs but that could be used 
for 1.2). Perhaps it could be time to put it somewhere in the Restlet 
code-base too.  I was going to wait for the 1.1 release, but if Roman is 
doing some work on this type of problem too, we might as well try to 
coordinate our work.


Best wishes,

Bruno.


Roman Geus wrote:

Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository and 
then do my part.


Best regards,
Roman


Jerome Louvel wrote:

Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate 
HTTP header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with a 
link to Bruno's original filter and another one back to this thread. 
I've also changed the target milestone of this RFE to 1.2 as it seems 
there is a good chance we could effectively add support for it.
 
"Support SPNEGO authentication"

http://restlet.tigris.org/issues/show_bug.cgi?id=444







RE: client-side support for Negotiate authentication scheme

2008-10-03 Thread Jerome Louvel

Hi Bruno,

I would suggest that you attach a zip with your source code to the existing
issue in the tracker (or a new one).

Once, we create the 1.1 branch, we could use the trunk to land this but it
is a bit premature for now.

Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On behalf of Bruno Harbulot
Sent: Wednesday, 1 October 2008 12:50
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have 
any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure of 
the Guards, etc. (mostly for my project's needs but that could be used 
for 1.2). Perhaps it could be time to put it somewhere in the Restlet 
code-base too.  I was going to wait for the 1.1 release, but if Roman is 
doing some work on this type of problem too, we might as well try to 
coordinate our work.

Best wishes,

Bruno.


Roman Geus wrote:
> Hi Jerome
> 
> Thanks for pointing out the necessary steps.
> 
> I'll wait until Bruno's code has been contributed to the repository and 
> then do my part.
> 
> Best regards,
> Roman
> 
> 
> Jerome Louvel wrote:
>> Hi Roman, Bruno and all,
>>  
>> Roman, thanks for reporting this parsing bug with WWW-Authenticate 
>> HTTP header. I have just fixed it in SVN trunk.
>>  
>> Regarding the support for SPNEGO, I've updated the related RFE with a 
>> link to Bruno's original filter and another one back to this thread. 
>> I've also changed the target milestone of this RFE to 1.2 as it seems 
>> there is a good chance we could effectively add support for it.
>>  
>> "Support SPNEGO authentication"
>> http://restlet.tigris.org/issues/show_bug.cgi?id=444



Re: client-side support for Negotiate authentication scheme

2008-10-01 Thread Bruno Harbulot

Hi all,

I'd be happy to put it in the Restlet repository. Jerome, do you have 
any preferred place in the repository for this?
By the way, I had mentioned I had started some work on the structure of 
the Guards, etc. (mostly for my project's needs but that could be used 
for 1.2). Perhaps it could be time to put it somewhere in the Restlet 
code-base too.  I was going to wait for the 1.1 release, but if Roman is 
doing some work on this type of problem too, we might as well try to 
coordinate our work.


Best wishes,

Bruno.


Roman Geus wrote:

Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository and 
then do my part.


Best regards,
Roman


Jerome Louvel wrote:

Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate 
HTTP header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with a 
link to Bruno's original filter and another one back to this thread. 
I've also changed the target milestone of this RFE to 1.2 as it seems 
there is a good chance we could effectively add support for it.
 
"Support SPNEGO authentication"

http://restlet.tigris.org/issues/show_bug.cgi?id=444




Re: client-side support for Negotiate authentication scheme

2008-09-17 Thread Roman Geus

Hi Jerome

Thanks for pointing out the necessary steps.

I'll wait until Bruno's code has been contributed to the repository and 
then do my part.


Best regards,
Roman


Jerome Louvel wrote:

Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate 
HTTP header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with a 
link to Bruno's original filter and another one back to this thread. 
I've also changed the target milestone of this RFE to 1.2 as it seems 
there is a good chance we could effectively add support for it.
 
"Support SPNEGO authentication"

http://restlet.tigris.org/issues/show_bug.cgi?id=444
 
It is indeed very important to be careful as soon as we copy and paste 
somebody else's code, even for private play, as it might at some point 
leak out of our computers. Fortunately in this case Bruno is a 
gentleman :-)
 
Roman, if we want to reuse your work to support SPNEGO in Restlet 1.2, 
here is the proper legal process that you will need to follow:
 - hope that Bruno (actually University of Manchester) effectively 
decides to contribute the original code to the Restlet project
 - wait for the code to be effectively contributed (ex: attached to 
the RFE or checked in SVN trunk)
 - based on this code, reapply your changes (or make sure Bruno's code 
hasn't changed since you worked on it!)

 - sign a Restlet JCA (see http://www.restlet.org/community/contribute)
 - contribute your changes as a patch or a set of new files
 
It might seem like painful/useless legal work but it is in fact 
essential to keep Restlet copyright clean and to respect the rights of 
all copyright holders.
 
Best regards,

Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com


From: Thierry Boileau [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 11 September 2008 11:59
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme

Mail sent on the 08/28 and apparently lost.
---

Hi Stephan, Roman,

I think we will wait for the end of the vacations of Jérôme (11th of 
September).

Anyway, thanks Roman for your effort!

best regards,
Thierry Boileau


Stephan Koops wrote:

Hi Roman,

nice for the code. Because I only change the code of the JAX-RS 
extension, this is a job for Jerome or Thierry. I hope they will 
include it.

best regards
  Stephan

Roman Geus wrote:

Hi Stephan

The NegotiateFilter, together with an example client and server is 
attached to this post.


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing 
is needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman


Stephan Koops wrote:

Hi Roman,

cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus wrote:

Hi all

I have been working on a Filter that implements client and server 
side HTTP Negotiate and Basic authentication. The code is based on 
Bruno Harbulot's nice SpnegoFilter.


Everything works fine so far. However to get the client-side 
authentication working I had to change the 
parseAuthenticateHeader() method in the 
com.noelios.restlet.authentication.AuthenticationUtils class a bit.


The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in 
the authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix for this problem?

The diff for my quick fix is attached.

Best regards,
Roman
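
The header shape behind the parsing bug reported in this thread, as an added example (not Restlet's code and not the attached diff): a Negotiate challenge carries no realm parameter, so a WWW-Authenticate parser has to accept a bare scheme or a scheme followed by a token. The class and method names and the sample header values are constructed for illustration; the scheme preference mirrors the README's Negotiate-then-Basic fallback.

```java
import java.util.*;
import java.util.regex.*;

/** Added illustration: parses WWW-Authenticate challenges; realm is optional. */
public class ChallengeParser {

    static final class Challenge {
        final String scheme;
        String token68;                                   // e.g. a base64 GSS-API token; null if absent
        final Map<String, String> params = new LinkedHashMap<>();
        Challenge(String scheme) { this.scheme = scheme; }
        @Override public String toString() {
            return scheme + (token68 != null ? " token68=" + token68 : "") + " " + params;
        }
    }

    private static final String TOKEN = "[!#$%&'*+.^_`|~\\w-]+";
    // name=value where value is a token or a quoted string
    private static final Pattern PARAM = Pattern.compile(
            "(" + TOKEN + ")\\s*=\\s*(\"(?:[^\"\\\\]|\\\\.)*\"|" + TOKEN + ")");
    // scheme, optionally followed by whitespace and the rest of the piece
    private static final Pattern START = Pattern.compile("(" + TOKEN + ")(?:\\s+(.*))?");

    /** Splits on commas that are not inside a quoted string. */
    static List<String> splitOutsideQuotes(String s) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (quoted && c == '\\' && i + 1 < s.length()) {   // keep escaped char as-is
                cur.append(c).append(s.charAt(++i));
                continue;
            }
            if (c == '"') quoted = !quoted;
            if (c == ',' && !quoted) { out.add(cur.toString().trim()); cur.setLength(0); }
            else cur.append(c);
        }
        out.add(cur.toString().trim());
        return out;
    }

    static String unquote(String v) {
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\""))
            return v.substring(1, v.length() - 1).replaceAll("\\\\(.)", "$1");
        return v;
    }

    static List<Challenge> parse(String headerValue) {
        List<Challenge> result = new ArrayList<>();
        Challenge current = null;
        for (String piece : splitOutsideQuotes(headerValue)) {
            if (piece.isEmpty()) continue;
            Matcher p = PARAM.matcher(piece);
            if (p.matches() && current != null) {          // "name=value" continues the current challenge
                current.params.put(p.group(1).toLowerCase(Locale.ROOT), unquote(p.group(2)));
                continue;
            }
            Matcher s = START.matcher(piece);
            if (!s.matches()) continue;                    // malformed piece: ignore it
            current = new Challenge(s.group(1));
            result.add(current);
            String rest = s.group(2) == null ? "" : s.group(2).trim();
            if (rest.isEmpty()) continue;                  // bare scheme such as "Negotiate": valid, no realm
            Matcher first = PARAM.matcher(rest);
            if (first.matches())
                current.params.put(first.group(1).toLowerCase(Locale.ROOT), unquote(first.group(2)));
            else
                current.token68 = rest;                    // e.g. "Negotiate <base64 token>"
        }
        return result;
    }

    /** Returns the first offered challenge matching the client's scheme preference order. */
    static Optional<Challenge> select(List<Challenge> offered, List<String> preference) {
        for (String wanted : preference)
            for (Challenge c : offered)
                if (c.scheme.equalsIgnoreCase(wanted)) return Optional.of(c);
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample header values; the token is base64 of the word "constructed".
        String[] samples = {
            "Negotiate",
            "Negotiate, Basic realm=\"Example, internal\"",
            "Basic realm=\"Example\", charset=\"UTF-8\"",
            "Negotiate Y29uc3RydWN0ZWQ="
        };
        for (String h : samples) {
            List<Challenge> offered = parse(h);
            System.out.println(h + "\n  parsed:   " + offered + "\n  selected: "
                    + select(offered, Arrays.asList("Negotiate", "Basic"))
                            .map(c -> c.scheme).orElse("none"));
        }
    }
}
```
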









RE: client-side support for Negotiate authentication scheme

2008-09-15 Thread Jerome Louvel
Hi Roman, Bruno and all,
 
Roman, thanks for reporting this parsing bug with WWW-Authenticate HTTP
header. I have just fixed it in SVN trunk.
 
Regarding the support for SPNEGO, I've updated the related RFE with a link
to Bruno's original filter and another one back to this thread. I've also
changed the target milestone of this RFE to 1.2 as it seems there is a good
chance we could effectively add support for it.
 
"Support SPNEGO authentication"
http://restlet.tigris.org/issues/show_bug.cgi?id=444
 
It is indeed very important to be careful as soon as we copy and paste
somebody else's code, even for private play, as it might at some point leak
out of our computers. Fortunately in this case Bruno is a gentleman :-)
 
Roman, if we want to reuse your work to support SPNEGO in Restlet 1.2, here
is the proper legal process that you will need to follow:
 - hope that Bruno (actually University of Manchester) effectively decides
to contribute the original code to the Restlet project
 - wait for the code to be effectively contributed (ex: attached to the RFE
or checked in SVN trunk)
 - based on this code, reapply your changes (or make sure Bruno's code
hasn't changed since you worked on it!)
 - sign a Restlet JCA (see http://www.restlet.org/community/contribute)
 - contribute your changes as a patch or a set of new files
 
It might seem like painful/useless legal work but it is in fact essential
to keep Restlet copyright clean and to respect the rights of all copyright
holders.
 
Best regards,
Jérôme Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

From: Thierry Boileau [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 11 September 2008 11:59
To: discuss@restlet.tigris.org
Subject: Re: client-side support for Negotiate authentication scheme


Mail sent on the 08/28 and apparently lost.
---

Hi Stephan, Roman,

I think we will wait for the end of the vacations of Jérôme (11th of
September).
Anyway, thanks Roman for your effort!

best regards,
Thierry Boileau


Stephan Koops wrote:

Hi Roman,

nice for the code. Because I only change the code of the JAX-RS extension,
this is a job for Jerome or Thierry. I hope they will include it.

best regards
  Stephan

Roman Geus wrote:


Hi Stephan 

The NegotiateFilter, together with an example client and server is attached
to this post. 

You are free to add this code to the Restlet codebase if you find it useful.
Since I borrowed some ideas and code from Bruno Harbulot's SpnegoFilter, he
should be consulted as well. Also IMHO more testing is needed. 

The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus 


Cheers, 
Roman 


Stephan Koops wrote: 


Hi Roman, 

cool. Could you share the full filter class(es?) to be added to the Restlet
API? 

best regards 
   Stephan 

Roman Geus wrote:


Hi all 

I have been working on a Filter that implements client and server side HTTP
Negotiate and Basic authentication. The code is based on Bruno Harbulot's
nice SpnegoFilter. 

Everything works fine so far. However to get the client-side authentication
working I had to change the parseAuthenticateHeader() method in the
com.noelios.restlet.authentication.AuthenticationUtils class a bit. 

The original implementation (version 1.1rc1) fails to locate the correct
AuthenticationHelper, if the realm parameter is missing in the authenticate
header, as e.g. for the Negotiate scheme. 

Would it be possible to fix for this problem? 

The diff for my quick fix is attached. 

Best regards, 
Roman 







Re: client-side support for Negotiate authentication scheme

2008-09-11 Thread Thierry Boileau




Mail sent on the 08/28 and apparently lost.
---

Hi Stephan, Roman,

I think we will wait for the end of the vacations of Jérôme (11th of
September).
Anyway, thanks Roman for your effort!

best regards,
Thierry Boileau


Stephan Koops wrote:

Hi Roman,

nice for the code. Because I only change the code of the JAX-RS
extension, this is a job for Jerome or Thierry. I hope they will
include it.

best regards
  Stephan

Roman Geus wrote:

Hi Stephan

The NegotiateFilter, together with an example client and server is
attached to this post. 

You are free to add this code to the Restlet codebase if you find it
useful. Since I borrowed some ideas and code from Bruno Harbulot's
SpnegoFilter, he should be consulted as well. Also IMHO more testing is
needed. 

The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.
  
Roman Geus 

Cheers, 
Roman 


Stephan Koops wrote: 
Hi Roman, 
  
cool. Could you share the full filter class(es?) to be added to the
Restlet API? 
  
best regards 
   Stephan 
  
Roman Geus wrote:

Hi all

I have been working on a Filter that implements client and server side
HTTP Negotiate and Basic authentication. The code is based on Bruno
Harbulot's nice SpnegoFilter. 

Everything works fine so far. However to get the client-side
authentication working I had to change the parseAuthenticateHeader()
method in the com.noelios.restlet.authentication.AuthenticationUtils
class a bit. 

The original implementation (version 1.1rc1) fails to locate the
correct AuthenticationHelper, if the realm parameter is missing in the
authenticate header, as e.g. for the Negotiate scheme. 

Would it be possible to fix for this problem? 

The diff for my quick fix is attached. 

Best regards, 
Roman 

  


  
  





Re: client-side support for Negotiate authentication scheme

2008-08-28 Thread Bruno Harbulot

Hi Roman,

Roman Geus wrote:

Hello Bruno

I'm sorry about not paying more attention to the licensing issues. I 
meant no harm and I am certainly not trying to take credit for your work.
Just to explain: the code I posted is not a quick rip-off of your 
filter. I put a considerable amount of time into rewriting, refactoring 
and adding new functionality.
It was my understanding that NegotiateFilter would not fall into the 
category of "redistribution" or "modification" of your SpnegoFilter and 
thus not violate the copyright. However I'm not experienced in these 
legal matters.


Don't worry, I'm not upset, it's nice of you to have acknowledged my 
work and I do realise you've done some substantial work on this too. 
It's some code that I've planned to contribute to Restlet anyway at some 
point, so it's not a major issue, but I have signed the Restlet JCA; I'm 
not sure you have.


I'm not a legal expert either, but I think it would have been in your 
interest to send your code with a licence (pending JCA integration), 
since many people might assume that what is made public is in the public 
domain (although I don't think it legally is -- it's probably the 
opposite, but a licence would clarify things). This is in fact why I put 
this licence on my code in the first place (also because the copyright 
is actually held by my employer), not because I didn't want it in the 
Restlet code.


My understanding of the (BSD) licence I've used is that putting it at 
the bottom of the README file saying something like "some of this code 
was based on code distributed with this licence: ..." would have been 
sufficient.
As the (representative of the) copyright holder, this is something that 
only I (or another representative) can waive when contributing through 
the Restlet JCA, which I'm happy to do in this instance.



Cheers,

Bruno.



Re: client-side support for Negotiate authentication scheme

2008-08-28 Thread Roman Geus

Hello Bruno

I'm sorry about not paying more attention to the licensing issues. I 
meant no harm and I am certainly not trying to take credit for your work.


Just to explain: the code I posted is not a quick rip-off of your 
filter. I put a considerable amount of time into rewriting, refactoring 
and adding new functionality.


It was my understanding that NegotiateFilter would not fall into the 
category of "redistribution" or "modification" of your SpnegoFilter and 
thus not violate the copyright. However I'm not experienced in these 
legal matters.


I would like to thank you again for sharing your code. Without it, it 
would have taken me a much longer time to get Negotiate authentication 
working.


Regards,
Roman

Bruno Harbulot wrote:

Hi Roman,

When you take someone else's code and modify it, you might want to 
look at the beginning of the file (or the licence file), especially 
when you post a file to a public mailing list and thus have no chance 
of being able to amend it once archived:



Copyright (c) 2008, The University of Manchester, United Kingdom.
All rights reserved.

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions 
are met:


* Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.
* Neither the name of the The University of Manchester nor the names of
  its contributors may be used to endorse or promote products derived
  from this software without specific prior written permission.


THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



This being said, I'm glad you found it useful. In principle, I'm in 
favour of including it into the Restlet code. However, the reason I 
published it separately in the first place was because it was a small 
prototype and I felt this feature should be part of a wider rethink of 
the Guard-related classes. This is an objective that Jerome set for 
Restlet 1.2, so let's wait for 1.1 final first, although of course we 
can already start to talk about it and experiment with new features.



Cheers,

Bruno.


Roman Geus wrote:

Hi Stephan

The NegotiateFilter, together with an example client and server is 
attached to this post.


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing 
is needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman






Re: client-side support for Negotiate authentication scheme

2008-08-28 Thread Bruno Harbulot

Hi Roman,

When you take someone else's code and modify it, you might want to look 
at the beginning of the file (or the licence file), especially when you 
post a file to a public mailing list and thus have no chance of being 
able to amend it once archived:



Copyright (c) 2008, The University of Manchester, United Kingdom.
All rights reserved.

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions are met:


* Redistributions of source code must retain the above copyright notice, 
  this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright 
  notice, this list of conditions and the following disclaimer in the 
  documentation and/or other materials provided with the distribution.
* Neither the name of the The University of Manchester nor the names of 
  its contributors may be used to endorse or promote products derived 
  from this software without specific prior written permission.


THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE.



This being said, I'm glad you found it useful. In principle, I'm in 
favour of including it into the Restlet code. However, the reason I 
published it separately in the first place was because it was a small 
prototype and I felt this feature should be part of a wider rethink of 
the Guard-related classes. This is an objective that Jerome set for 
Restlet 1.2, so let's wait for 1.1 final first, although of course we 
can already start to talk about it and experiment with new features.



Cheers,

Bruno.


Roman Geus wrote:

Hi Stephan

The NegotiateFilter, together with an example client and server is 
attached to this post.


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing is 
needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman




Re: client-side support for Negotiate authentication scheme

2008-08-28 Thread Stephan Koops

Hi Roman,

nice for the code. Because I only change the code of the JAX-RS 
extension, this is a job for Jerome or Thierry. I hope they will include it.


best regards
  Stephan

Roman Geus wrote:

Hi Stephan

The NegotiateFilter, together with an example client and server is 
attached to this post.


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing 
is needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman


Stephan Koops wrote:

Hi Roman,

cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus wrote:

Hi all

I have been working on a Filter that implements client and server 
side HTTP Negotiate and Basic authentication. The code is based on 
Bruno Harbulot's nice SpnegoFilter.


Everything works fine so far. However to get the client-side 
authentication working I had to change the parseAuthenticateHeader() 
method in the com.noelios.restlet.authentication.AuthenticationUtils 
class a bit.


The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in 
the authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix this problem?

The diff for my quick fix is attached.

Best regards,
Roman





Re: client-side support for Negotiate authentication scheme

2008-08-28 Thread Roman Geus

Hi Stephan

The NegotiateFilter, together with an example client and server is 
attached to this post.


You are free to add this code to the Restlet codebase if you find it 
useful. Since I borrowed some ideas and code from Bruno Harbulot's 
SpnegoFilter, he should be consulted as well. Also IMHO more testing is 
needed.


The README file:

NegotiateFilter is a Restlet filter that implements Negotiate and Basic
authentication on both the client and the server side. The server accepts both
SPNEGO and Kerberos v5 GSSAPI tokens.

It comes with a runnable test client and test server.

The code has only been tested in a Windows Active Directory environment but
should work with any Kerberos v5 infrastructure.

The code has been tested with Restlet 1.1rc1 with a patched version of the
com.noelios.restlet.authentication.AuthenticationUtils.parseAuthenticateHeader()
method (see mailing list).

The jaas.conf file and some constants in ExampleClient.java and some system
properties contain site-specific information and need to be adjusted.

Also a working keytab file and krb5.conf file (or similar) are needed.

See the *.launch file for information on how to set the system properties.

NegotiateFilter is based on Bruno Harbulot's SpnegoFilter.

Roman Geus

Cheers,
Roman


Stephan Koops wrote:

Hi Roman,

cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus wrote:

Hi all

I have been working on a Filter that implements client and server 
side HTTP Negotiate and Basic authentication. The code is based on 
Bruno Harbulot's nice SpnegoFilter.


Everything works fine so far. However to get the client-side 
authentication working I had to change the parseAuthenticateHeader() 
method in the com.noelios.restlet.authentication.AuthenticationUtils 
class a bit.


The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in 
the authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix this problem?

The diff for my quick fix is attached.

Best regards,
Roman





negotiatefilter_example.tar.gz
Description: GNU Zip compressed data


Re: client-side support for Negotiate authentication scheme

2008-08-26 Thread Stephan Koops

Hi Roman,

cool. Could you share the full filter class(es?) to be added to the 
Restlet API?


best regards
   Stephan

Roman Geus wrote:

Hi all

I have been working on a Filter that implements client and server side 
HTTP Negotiate and Basic authentication. The code is based on Bruno 
Harbulot's nice SpnegoFilter.


Everything works fine so far. However to get the client-side 
authentication working I had to change the parseAuthenticateHeader() 
method in the com.noelios.restlet.authentication.AuthenticationUtils 
class a bit.


The original implementation (version 1.1rc1) fails to locate the 
correct AuthenticationHelper, if the realm parameter is missing in the 
authenticate header, as e.g. for the Negotiate scheme.


Would it be possible to fix this problem?

The diff for my quick fix is attached.

Best regards,
Roman
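
The parsing failure Roman describes in the quoted message above (no AuthenticationHelper found when the authenticate header has no realm parameter, as with Negotiate) comes down to selecting a challenge by scheme alone. The following is an added example, not part of the thread, the attached diff or Restlet's code: a standalone Java 16+ parser that assumes one challenge per WWW-Authenticate header line; the class, record and method names and the sample header values are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration (Java 16+); all names here are hypothetical, not Restlet API.
public class ChallengeParser {
    /** One parsed challenge; realm is simply absent from params when not sent. */
    record Challenge(String scheme, String token68, Map<String, String> params) {}

    private static final Pattern TOKEN68 = Pattern.compile("[A-Za-z0-9._~+/-]+=*");
    private static final Pattern PARAM = Pattern.compile(
            "([^\\s=,\"]+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^\\s,\"]+))");

    /** Parses one WWW-Authenticate value that carries a single challenge. */
    static Challenge parse(String headerValue) {
        String value = headerValue.trim();
        if (value.isEmpty()) throw new IllegalArgumentException("empty challenge");
        String[] parts = value.split("\\s+", 2);
        String rest = parts.length > 1 ? parts[1].trim() : "";
        Map<String, String> params = new LinkedHashMap<>();
        if (rest.isEmpty()) return new Challenge(parts[0], null, params); // bare "Negotiate"
        if (TOKEN68.matcher(rest).matches()) return new Challenge(parts[0], rest, params);
        Matcher m = PARAM.matcher(rest);
        while (m.find()) { // name=value or name="quoted value" pairs
            String v = m.group(2) != null ? m.group(2).replaceAll("\\\\(.)", "$1") : m.group(3);
            params.put(m.group(1).toLowerCase(Locale.ROOT), v);
        }
        return new Challenge(parts[0], null, params);
    }

    /** Picks the first supported scheme, matching by scheme name only, never by realm. */
    static Challenge select(List<String> headerValues, List<String> preferred) {
        List<Challenge> offered = headerValues.stream().map(ChallengeParser::parse).toList();
        for (String scheme : preferred)
            for (Challenge c : offered)
                if (c.scheme().equalsIgnoreCase(scheme)) return c;
        return null; // no offered scheme is supported
    }

    public static void main(String[] args) {
        // Constructed sample headers, one challenge per header line.
        List<String> fromServer = List.of("Negotiate", "Basic realm=\"example\"");
        List<String> prefs = List.of("Negotiate", "Basic");
        System.out.println(select(fromServer, prefs));
        System.out.println(select(List.of("Basic realm=\"example\""), prefs));
        System.out.println(parse("Negotiate YIIC")); // constructed placeholder token
    }
}
```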